docs/data/reusables/webhooks/secret.md

Setting a webhook secret allows you to ensure that POST requests sent to the payload URL are from {% data variables.product.product_name %}. When you set a secret, you'll receive the {% ifversion fpt or ghes > 2.22 %}X-Hub-Signature and X-Hub-Signature-256 headers{% elsif ghes < 3.0 %}X-Hub-Signature header{% elsif ghae %}X-Hub-Signature-256 header{% endif %} in the webhook POST request. For more information on how to use a secret with a signature header to secure your webhook payloads, see "Securing your webhooks."